CVE-2025-56200 (Medium) detected in validator-13.7.0.tgz #10669
Description
CVE-2025-56200 - Medium Severity Vulnerability
Vulnerable Library - validator-13.7.0.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-13.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- api-documenter-7.16.0.tgz (Root Library)
- node-core-library-3.45.1.tgz
- z-schema-5.0.2.tgz
- ❌ validator-13.7.0.tgz (Vulnerable Library)
- z-schema-5.0.2.tgz
- node-core-library-3.45.1.tgz
Found in HEAD commit: 4da33a135a4bd43014f93ddd50635033b4a3aba8
Found in base branch: main
Vulnerability Details
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.
Publish Date: 2025-09-30
URL: CVE-2025-56200
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None